Recorded Future Identity

The Recorded Future Identity Intelligence Connector enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of sources. Through this connector, organizations can incorporate identity intelligence into automated workflows (e.g., password resets) with applications such as Microsoft Entra ID and Microsoft Sentinel.
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions |
Power Automate | Premium | All Power Automate regions |
Power Apps | Premium | All Power Apps regions |
Contact | |
---|---|
Name | Recorded Future Support |
URL | https://support.recordedfuture.com |
Email | support@recordedfuture.com |
Connector Metadata | |
---|---|
Publisher | Recorded Future |
Website | https://www.recordedfuture.com |
Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
Categories | AI;Data |
The Recorded Future Identity Intelligence Connector enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of open source, dark web, and technical sources; this approach produces real-time intelligence at massive scale, offering an unmatched source of truth for identity authenticity. Through this connector, organizations can incorporate identity intelligence into automated workflows (e.g., password resets) with applications such as Azure Active Directory and Microsoft Sentinel.
Prerequisites
To enable the Recorded Future Identity for Microsoft Azure integration, users must be provisioned a Recorded Future API token. Please reach out to your account manager to obtain the necessary API token.
Known issues and limitations
N/A
Creating a connection
The connector supports the following authentication types:
Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not a shareable connection. If the power app is shared with another user, that user will be prompted to create a new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
API Key | securestring | The key for this API | True |
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Actions
Credential Lookup - Look up credential data for one or more users | Look up exposed credential data for a specific set of subjects |
Credential Search - Search credential data for one or more domains | Search credential data exposed in data dumps and through malware logs |
Credential Lookup - Look up credential data for one or more users
Look up exposed credential data for a specific set of subjects
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Emails | subjects | | array of string | List of email addresses to look up |
Hashed emails | subjects_sha1 | | array of string | List of hashed email addresses to look up |
Username | login | | string | Either input username or hash of username |
Hash of username | login_sha1 | | string | Either input username or hash of username |
Domain | domain | | string | domain.com |
From | first_downloaded_gte | | string | YYYY-MM-DD (until today) |
Credential properties | properties | | array of string | Filter on credential properties |
Breach name | name | | string | E.g. Cit0day |
Breaches from | date | | string | YYYY-MM-DD (until today) |
Dump name | name | | string | E.g. XSS.is Dump 2021 |
Dumps from | date | | string | YYYY-MM-DD (until today) |
Returns
Name | Path | Type | Description |
---|---|---|---|
Exposed credentials | exposed_credentials | array of object | List of exposed credentials |
signature | exposed_credentials.signature | string | Requested signature |
exposed_secret_format | exposed_credentials.exposed_secret_format | string | Format of the exposed secret. Either the hash algorithm or clear for cleartext. |
first_seen | exposed_credentials.first_seen | string | Date when the signature was first seen exposed |
last_seen | exposed_credentials.last_seen | string | Date when the signature was last seen exposed |
clear_text_hint | exposed_credentials.clear_text_hint | string | First two letters of the exposed secret. Only available for secrets exposed in clear text |
secret_properties | exposed_credentials.secret_properties | array of string | Properties of the clear text |
secret_rank | exposed_credentials.secret_rank | string | Any common password collections the password is part of |
secret_hashes | exposed_credentials.secret_hashes | array of object | |
algorithm | exposed_credentials.secret_hashes.algorithm | string | Hash algorithm used |
hash | exposed_credentials.secret_hashes.hash | string | Hash value |
Malware family | exposed_credentials.malware_family | string | Family of malware used to extract the credentials |
dumps | exposed_credentials.dumps | array of object | List of data dumps in which the signature has been involved. |
name | exposed_credentials.dumps.name | string | Name of the dump |
description | exposed_credentials.dumps.description | string | Description of the dump |
downloaded | exposed_credentials.dumps.downloaded | string | Date when the dump was downloaded |
type | exposed_credentials.dumps.type | string | Type of the dump |
breaches | exposed_credentials.dumps.breaches | array of object | List of data breaches related to the dump |
name | exposed_credentials.dumps.breaches.name | string | |
domain | exposed_credentials.dumps.breaches.domain | string | |
type | exposed_credentials.dumps.breaches.type | string | |
breached | exposed_credentials.dumps.breaches.breached | string | |
start | exposed_credentials.dumps.breaches.start | string | |
stop | exposed_credentials.dumps.breaches.stop | string | |
precision | exposed_credentials.dumps.breaches.precision | string | |
description | exposed_credentials.dumps.breaches.description | string | |
site_description | exposed_credentials.dumps.breaches.site_description | string | |
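
The following is an added example, not code from Recorded Future or the connector: it triages a Credential Lookup result by the fields in the Returns table, choosing one response action per `signature`. The action names, the triage policy, the date-string format and every sample value are assumptions of the example.

```python
from datetime import date

# Constructed sample shaped like the Returns table above; every value is made up.
SAMPLE_RESPONSE = {"exposed_credentials": [
    {"signature": "sig-a", "exposed_secret_format": "clear", "clear_text_hint": "Su",
     "last_seen": "2024-05-02", "malware_family": "ExampleStealer"},
    {"signature": "sig-b", "exposed_secret_format": "SHA1",
     "last_seen": "2024-04-20T08:00:00Z"},
    {"signature": "sig-b", "exposed_secret_format": "clear", "last_seen": "2024-04-21"},
    {"signature": "sig-c", "exposed_secret_format": "clear", "last_seen": "2019-03-01"},
    {"signature": "sig-d", "exposed_secret_format": "MD5"},  # no last_seen at all
]}

# Ordered most to least severe. This policy is the example's assumption.
ACTIONS = ("investigate_device_and_reset", "reset_password", "review")

def parse_seen(value):
    """Parse the leading YYYY-MM-DD of a date string; None if absent or malformed."""
    try:
        return date.fromisoformat((value or "")[:10])
    except ValueError:
        return None

def classify(cred):
    """Map one exposed credential to an action using the documented fields."""
    if cred.get("malware_family"):
        return ACTIONS[0]  # extracted by malware: the endpoint itself is suspect
    if cred.get("exposed_secret_format") == "clear":
        return ACTIONS[1]  # secret known in clear text
    return ACTIONS[2]      # only a hash was exposed

def triage(response, since):
    """Return {signature: action}, keeping the most severe action per signature."""
    result = {}
    for cred in response.get("exposed_credentials") or []:
        last = parse_seen(cred.get("last_seen"))
        if last is not None and last < since:
            continue  # older than the cutoff; undated records are kept, not dropped
        action = classify(cred)
        sig = cred.get("signature", "<missing signature>")
        if sig not in result or ACTIONS.index(action) < ACTIONS.index(result[sig]):
            result[sig] = action
    return result

if __name__ == "__main__":
    for sig, action in triage(SAMPLE_RESPONSE, date(2024, 1, 1)).items():
        print(sig, action)
```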
Credential Search - Search credential data for one or more domains
Search credential data exposed in data dumps and through malware logs
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Domains | domains | | array of string | List of domains to search |
Credential type | domain_type | | string | Select credential type |
From | latest_downloaded_gte | | string | YYYY-MM-DD (until today) |
Credential properties | properties | | array of string | Filter on credential properties |
Breach name | name | | string | E.g. Cit0day |
Breaches from | date | | string | YYYY-MM-DD (until today) |
Dump name | name | | string | E.g. XSS.is Dump 2021 |
Dumps from | date | | string | YYYY-MM-DD (until today) |
Offset | offset | | string | Records from offset |
Results | limit | | number | Maximum number of results |
Returns
Name | Path | Type | Description |
---|---|---|---|
Credential dumps | credential_dumps | array of string | List of credentials exposed in data dumps |
Malware logs | malware_logs | array of object | List of credentials exposed through malware logs |
Login | malware_logs.login | string | Login username |
Domain | malware_logs.domain | string | Login domain |
Count | count | number | Number of returned credentials |
Next offset | next_offset | string | Offset used to request succeeding records |
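
The following is an added example, not code from Recorded Future or the connector: it pages through Credential Search results with `offset` and `next_offset` while staying under the documented throttle of 100 calls per 60 seconds per connection. `search_page` is a hypothetical callable standing in for the action, the sample pages are constructed, and treating an absent or repeated `next_offset` as the end of the results is an assumption.

```python
import time
from collections import deque

# Constructed pages keyed by offset (None = first request); all values are made up.
CONSTRUCTED_PAGES = {
    None: {"credential_dumps": ["user1@example.com"], "malware_logs": [],
           "count": 1, "next_offset": "o1"},
    "o1": {"credential_dumps": [], "count": 1, "next_offset": "o2",
           "malware_logs": [{"login": "user2", "domain": "example.com"}]},
    "o2": {"credential_dumps": ["user3@example.com"], "malware_logs": [], "count": 1},
}

def fake_search(offset, limit):
    """Hypothetical stand-in for the Credential Search action."""
    return CONSTRUCTED_PAGES[offset]

def collect_all(search_page, limit=500, max_calls=100, window=60.0,
                clock=time.monotonic, sleep=time.sleep):
    """Fetch every page, sleeping when the call budget for the window is used up."""
    calls = deque()        # timestamps of calls still inside the sliding window
    seen_offsets = set()   # guards against a next_offset that never advances
    dumps, malware = [], []
    offset = None
    while True:
        now = clock()
        while calls and now - calls[0] >= window:
            calls.popleft()
        if len(calls) >= max_calls:
            sleep(window - (now - calls[0]))  # wait until the oldest call expires
            continue
        calls.append(now)
        page = search_page(offset, limit)
        dumps.extend(page.get("credential_dumps") or [])
        malware.extend(page.get("malware_logs") or [])
        offset = page.get("next_offset")
        # Assumption: no next_offset, or one already used, means no more records.
        if not offset or offset in seen_offsets:
            break
        seen_offsets.add(offset)
    return {"credential_dumps": dumps, "malware_logs": malware}

if __name__ == "__main__":
    print(collect_all(fake_search))
```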